Computer method for solving sparse linear constraints

ABSTRACT

A computer implemented method for solving linear arithmetic constraints that combines a solver for difference constraints with a general linear arithmetic constraint solver. When used to solve sparse linear arithmetic constraints, the time and space complexity of the process is determined by the difference constraint component.

BACKGROUND

A significant objective of program analysis and verification is to determine that the software performs its intended functions correctly, to ensure that it performs no unintended functions, and to provide information about its quality and reliability. Theorem proving in the form of constraint solving is an important application for software analysis and verification. Many program analysis and verification tasks involve checking the satisfiability of a set of integer linear arithmetic constraints. These constraints appear naturally during reasoning about arrays and scalar counters in programs. Moreover, these queries usually contain a mixture of other theories (e.g., uninterpreted functions) and quantifiers, in addition to linear arithmetic constraints.

As the problem of checking the satisfiability of a set of integer linear arithmetic constraints is NP-complete, there is a practical need to develop algorithms that effectively solve the instances of the problem that occur in practice. These algorithms should also be designed to operate in a setting where the queries involve a combination of ground theories, and possibly quantifiers.

In most verification benchmarks, the linear arithmetic constraints are dominated by simple difference constraints of the form x≦y+c, where x and y are variables and c is a constant. These constraints naturally arise in many applications. For instance, the array bounds' check in a program and the timing constraints in job scheduling can be specified as difference constraints. It has also been observed that many of the arithmetic constraints that arise in verification or program analysis mostly comprise difference constraints.

Efficient polynomial algorithms exist for solving the satisfiability of difference constraints. For a given theory T, a decision procedure for T checks if a formula φ in the theory is satisfiable, i.e., it is possible to assign values to the symbols in φ that are consistent with T, such that φ evaluates to true. However, these algorithms become incomplete with the presence of even a very few non-difference constraints. A set of linear arithmetic constraints may be defined as sparse linear arithmetic (“SLA”) constraints, when the fraction of non-difference constraints is very small compared to the fraction of difference constraints. SLA constraints make it difficult to exploit the efficiency of difference constraint solvers for solving many program analysis queries. At present, there is a need for efficient algorithms for solving SLA constraints.

Moreover, decision procedures currently do not operate in isolation, but form a part of a more complex system that can decide formulas involving symbols shared across multiple theories. In such a setting, a decision procedure has to support the following operations efficiently:

-   -   (i) Satisfiability Checking: Checking if a formula φ is         satisfiable in the theory;     -   (ii) Model Generation: If a formula in the theory is         satisfiable, find values for the symbols that appear in the         theory that makes it satisfiable. This is important for         applications that use theorem provers for test-case generation;     -   (iii) Equality Generation: The Nelson-Oppen framework for         combining decision procedures requires that each theory produces         the set of equalities over variables that are implied by the         constraints;     -   (iv) Proof Generation: Proof generation can be used to certify         the output of a theorem prover. Proofs are also used to         construct conflict clauses efficiently in a lazy SAT-based         theorem proving architecture.

A set of general linear arithmetic constraints can be solved using the Simplex algorithm. The Simplex algorithm is a known technique for numerical solution of the linear programming problem. The method uses the concept of a simplex, which is a polytope of N+1 vertices in N dimensions, e.g., a line segment on a line, a triangle on a plane, a tetrahedron in three-dimensional space and so forth. Details relating to the Simplex algorithm are set forth in G. Dantzig, “Linear programming and extensions,” Princeton University Press, Princeton N.J., 1963, which publication is incorporated by reference herein in its entirety.

Under the theory of difference constraints defined above, the atomic formula may be expressed as x₁−x₂

c, where x₁, x₂ are variables, c is a constant and

is a placeholder for an operand {≦, ≧, =}. Constraints of the forms x

c may be converted to the above form by introducing a special vertex x_(orig) to denote the origin, and expressing the constraint as x−x_(orig)

c. The resultant system of difference constraints is equisatisfiable with the original set of constraints. Moreover, if ρ satisfies the resultant set of difference constraints, then a satisfying assignment ρ′ to the original set of constraints (that include x

c constraints) can be obtained by assigning ρ′(x)≐ρ(x)−ρ(x_(orig)), for each variable. A set of difference constraints (both over integers and rationals) can be decided in polynomial time using negative cycle detection (“NCD”) algorithms. These NCD algorithms detect negative weight cycles in a directed graph.

Thus, algorithms exist for solving difference constraints using linear space. However, these solutions cannot be used to solve general linear arithmetic including both difference constraints and non-difference constraints.

SUMMARY

The present system relates to a computer implemented process for an efficient decision procedure for SLA constraints. The process combines a solver for difference constraints with a solver for general linear constraints. In general, the process may operate according to the follow steps. The process first checks the satisfiability of φ_(D) using a negative cycle detection algorithm. If φ_(D) is unsatisfiable, the process returns unsatisfiable. Otherwise, SP(x,y) is used to describe the length of the shortest path from the (vertices corresponding to) variable x to y in the graph induced by φ_(D). The set of difference constraints may then be generated over Q:

φ_(Q) ≐Λ {y−x≦d|x ε Q, y ε Q, SP (x, y)=d}.

The process next checks the satisfiability of φ_(L) Λ φ_(Q) using a linear arithmetic decision procedure. If φ_(L) Λ φ_(Q) is unsatisfiable, then the process returns unsatisfiable. Otherwise, ρ_(L) is a satisfying assignment for φ_(L) Λ φ_(Q) over L.

Lastly, the process generates a satisfying assignment ρ_(D) to the formula φ_(D) ΛΛxεQ (x=ρL(x)), using a negative cycle detection algorithm. ρ_(x)≐ρ_(d) °ρ_(L) is returned as a satisfying assignment for φ.

The process for SLA constraints according to the present system may be implemented within a computing environment, and may provide a result which may be stored within and reported by the computing environment. As used herein, reporting the results may include, but is not limited to, displaying the results over a monitor associated with the computing environment, printing the results with a printer associated with the computing environment, sending the results to a speaker associated with the computing environment, communicating the result over a transmission medium, and sending the results to a file for storage or use by another application program.

An unsatisfiable state is returned only when a set of constraints implied by φ is detected to be unsatisfiable. To show that the process is complete (for both integer and rational arithmetic), it can be seen that if φ_(D) and φ_(L) Λ φ_(Q) are each satisfiable, then φ is satisfiable. This is achieved by showing that a satisfying assignment ρ_(L) for φ_(L) Λ φ_(Q) can be extended to an assignment ρ_(x) for φ, such that φ is satisfiable.

The resulting process enjoys polynomial complexity, or near polynomial complexity, and linear space, when the number of non-difference constraints is small. Given m difference constraints over n variables, the complexity of the negative cycle detection algorithm may be denoted NCD(n, m). The space complexity for NCD(n, m) is O(n+m), and the upper bound of the time complexity is O(n.m), although many algorithms have a better complexity. Similarly, with m constraints over n variables, the complexity of the linear arithmetic procedure under consideration may be denoted LAP(n,m). For example, if Simplex is used as the (rational) linear arithmetic decision procedure, then the space complexity for LAP(n,m) is O(n,m) and the time complexity is polynomial in n and m in practice.

The combined solvers can also be extended to generate implied equalities over variables that are implied by the constraints. In addition, the decision procedure generates models for satisfiable formulas.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart for solving linear arithmetic constraints that combine a solver for difference constraints with a general linear arithmetic constraint solver.

FIG. 2 is a flowchart for generating a set of equalities between variables implied by the constraint φ.

FIGS. 3A and 3B are graphs showing a comparison of the process of the present system with two different implementations for solving linear arithmetic constraints: (i) Simplify-Simplex: the linear arithmetic solver in the Simplify theorem prover, and (ii) Zap-UTVPI: an implementation of UTVPI decision procedure in Zap.

FIG. 4 is a block diagram of a computing system environment capable of implementing the present system.

DETAILED DESCRIPTION

Embodiments of the present system will now be described with reference to FIGS. 1 through 3B, which in general relate to a computer implemented method for solving sparse linear arithmetic constraints. Following is an introduction to the principles utilized in embodiments of the present system. Following that is a description of the embodiments of the present system.

By way of introduction, most queries that arise in software verification are dominated by difference constraints. For example, more than 95% of the linear arithmetic constraints are restricted to difference constraints for a set of program verification benchmarks. Difference constraints are a restricted class of linear arithmetic constraints of the form x

y+c, where x and y are variables, c is a constant and

is a placeholder for an operand {≦, ≧, =}. In embodiments of the present system, decisions procedures are devised for sparse linear arithmetic (“SLA”) constraints including both difference and non-difference constraints.

There are well-known, efficient decision procedures for difference constraints. Given a set of difference constraints, one can reduce the problem of checking its satisfiability to the problem of detecting negative cycles in an appropriately generated graph. Then, any of the negative-cycle-detection algorithms can be used to decide the given constraints. For instance, the classic Bellman-Ford algorithm can decide m difference constraints on n variables in O(n.m) time and O(n+m) space complexity. Other algorithms may improve the running time to O(n^(2.5)). All these algorithms also generate a satisfying assignment to the variables in the constraints if one exists. Previously, a negative cycle detection algorithm has been extended to generate equalities over variables for difference constraints, without significant effect on the complexity of the algorithm. See, S. K. Lahiri and M. Musuvathi, “An Efficient Nelson-Oppen Decision Procedure for Difference Constraints over Rationals,” Proceedings of the Third Workshop on Pragmatics of Decision Procedures in Automated Reasoning (PDPAR 2005), 144(2):27-41, 2005, which publication is incorporated by reference herein in its entirety.

The following is a high-level description of some notations and theorem provers based on the Nelson-Oppen combination. An expression in the logic can either be a term or a formula. A term can either be a variable or an application of a function symbol to a list of terms. A formula can be the constants true or false or an atomic formula or Boolean combination of other formulas. Atomic formulas can be formed by an equality between terms or by an application of a predicate symbol to a list of terms. A literal is either an atomic formula or its negation. A conjunction of literals may be identified as I₁ Λ I₂ . . . I_(k) with the set {I¹, . . . I_(k)}.

The function and predicate symbols can either be uninterpreted or can be defined by a particular theory. For instance, the theory of integer linear arithmetic defines the function-symbol “+” to be the addition function over integers and “<” to be the comparison predicate over integers. For a theory T, the signature Σ denotes the set of function and predicate symbols in the theory. If an expression E involves function or predicate symbols from two (or more) theories T₁ and T₂, then E is said to be an expression over a combination of theories T₁ ∪ T₂.

A formula F is said to be satisfiable if it is possible to assign values to the various symbols in the formula from the domains associated with the theories to make the formula true. A formula is valid if

F is not satisfiable. Formula A is said to imply a formula B (A

B) if and only if (

A) V B is valid. A satifiability procedure for Σ-theory T checks if a formula φ (over Σ) is satisfiable in T.

A decision procedure for a set of constraints in linear arithmetic (or its subset like difference logic) can either be used in isolation, or more often to solve a set of constraints over a combination of theories including linear arithmetic. For the latter case, Nelson and Oppen provided a framework for deciding formulas over multiple theories by modularly combining decision procedures for the different theories. Their framework is described in a paper: G. Nelson and D. C. Oppen, “Simplification by cooperating decision procedures,” ACM Transactions on Programming Languages and Systems, (TOPLAS), 2(1):245 257, 1979, which paper is incorporated by reference herein in its entirety.

In general, given two convex and stably infinite theories T₁ and T₂ with disjoint-signatures Σ₁ and Σ₂ respectively (i.e. Σ₁ ∩ Σ₂={ }), and a conjunction of literals φ over Σ₁ ∪ Σ₂, the goal is to find whether φ is satisfiable under T₁ ∪ T₂. Nelson and Oppen provided a method for modularly combining the satisfiability procedures for T₁ and T₂ to produce a satisfiability procedure for T₁ ∪ T₂.

The Nelson-Oppen procedure in general works as follows: The input φ is split into the φ₁ and φ₂ such that φ_(i) only contains symbols from Σ_(i) and φ₁ Λ φ₂ is equisatisfiable with φ. Each theory T_(i) decides the satisfiability of φ_(i) and returns unsatisfiable if φ_(i) is unsatisfiable in T_(i). Otherwise, the set of equalities implied by φ_(i) over the variables common to φ₁ and φ₂ are propagated to the other theory T_(j). The theory T_(j) adds these equalities to φ_(j) and the process is repeated until the set of equalities saturate.

Therefore, in addition to checking the satisfiability of a set of literals, each theory also has to derive all the equalities over variables that are implied by the set of literals. The satisfiability procedure is called equality generating if it can generate all such equalities.

If the formula φ_(i) is satisfiable, then theory T_(i) can generate satisfying assignments for the variables and symbols in φ_(i). If each theory can generate diverse assignments for the shared variables, then a satisfying assignment may be generated for the symbols and variables in φ. As explained hereinafter, aspects of the process of the present system are directed to generating equalities and satisfying assignments for general linear arithmetic covering both difference constraints and non-difference constraints.

Moving now to the concept of Lazy Theorem proving, in order to check the satisfiability of a formula ψ with arbitrary Boolean structure, many modern theorem provers use an encoding of ψ into a Boolean formula, and use a Boolean Satisfiability (SAT) solver to check the satisfiability of the Boolean formula. In particular, the formula ψ is checked using a Boolean SAT solver, after treating each atomic formula as a Boolean variable. If the SAT solver determines that the formula is unsatisfiable, then ψ is unsatisfiable. Otherwise, the satisfying assignment from SAT φ (a conjunction of literals from ψ) is checked for satisfiability using the Nelson-Oppen combination procedure described in the last section. If φ is satisfiable over the first-order theories, the formula ψ is satisfiable.

Embodiments of the present system will now be described with reference to FIGS. 1-4. The process for SLA constraints according to the present system may be implemented within a computing environment 200 as explained below with reference to FIG. 4, and may provide a result which may be stored within and reported by the computing environment. As used herein, reporting the results may include, but is not limited to, displaying the results over a monitor associated with the computing environment, printing the results with a printer associated with the computing environment, sending the results to a speaker associated with the computing environment, communicating the result over a transmission medium, and sending the results to a file for storage or use by another application program.

In the following description, φ≐Λ_(i) (Σ_(j) a_(i,j)*x_(j)≦c_(i)) is the conjunction of a set of integer or rational linear arithmetic constraints over a set of variables X. The set of constraints is partitioned in φ into the set of difference constraints φ_(D) and the non-difference constraints φ_(L), such that φ=φ_(D) Λ φ_(L). In the following description, D is the set of variables that appear in φ_(D), L is the set of variables that appear in φ_(L) and Q is the set of variables in D ∩ L. The variable x_(orig) is assumed to denote the origin, always belonging to D, and any x

c constraint has been converted to x

x_(orig)+c.

A set of constraints φ is defined to be SLA constraints if the fraction |L|/|D|<<1, for example on the order of 0.05. This also implies that |Q|/|D|<<1. According to embodiments of the present system, an efficient decision procedure is devised for SLA constraints, such that the complexity is polynomial in D but, in embodiments, exponential only over L. This is useful for solving integer linear constraints, where the complexity of the decision problem is NP-complete. For rational linear arithmetic, the procedure will still retain its polynomial complexity, but will improve the robustness on practical benchmarks by mitigating the effect of the general linear arithmetic solver.

In embodiments, an process is further provided for checking the satisfiability of a set of SLA constraints that has polynomial complexity in the size of the difference constraints. Moreover, the space complexity of the process is almost linear in the size of the difference constraints. Finally, assuming there is a decision procedure for integer linear arithmetic that generates satisfying assignments, the process can generate an integer solution when the input SLA formula is satisfiable over integers.

In the following description, φ is a set of linear arithmetic constraints as above, and Q is the set of variables common to the difference constraints φ_(D) and non-difference constraints φ_(L). The SLA-SAT process according to embodiments of the present system is a decision procedure for (integer and rational) linear arithmetic. Moreover, it also generates a satisfying assignment when the constraints are satisfiable.

Embodiments of the SLA-SAT process operate according to the steps shown in FIG. 1. In step 100, the process checks the satisfiability of φ_(D) using a negative cycle detection algorithm.

In step 102, if φ_(D) is unsatisfiable, the process reports an unsatisfiable result. As indicated, the reporting step may include but is not limited to, displaying that the result is unsatisfiable over a monitor associated with the computing environment, printing that the result is unsatisfiable with a printer associated with the computing environment, sending the result to a speaker associated with the computing environment, communicating that the result is unsatisfiable over a transmission medium, and sending the fact of an unsatisfiable result to a file for storage or use by another application program.

If φ_(D) is instead unsatisfiable, in a step 104, SP(x,y) is used to describe the length of the shortest path from the (vertices corresponding to) variable x to y in the graph induced by φ_(D). In a step 106, the set of difference constraints is generated over Q:

φ_(Q) ≐Λ {y−x≦d|x ε Q, y ε Q, SP (x, y)=d},   (1)

In step 108, the process checks the satisfiability of φ_(L) Λ φ_(Q) using a linear arithmetic decision procedure. If φ_(L Λ φ) _(Q) is unsatisfiable, then the process reports an unsatisfiable result in step 110. Otherwise, ρ_(L) is a satisfying assignment for φ_(L) Λ φ_(Q) over L (step 112).

In step 114, the process generates a satisfying assignment ρ_(D) to the formula φ_(D) ΛΛx ε Q (x=ρL(x)), using a negative cycle detection algorithm. In step 116, Σ_(x)≐ρ_(D) ·ρ_(L) is returned as a satisfying assignment for φ.

The satisfying assignment for φ may be stored by the computing system environment in step 116, and reported in step 118. As indicated above, reporting the results may include, but is not limited to, displaying the results over a monitor associated with the computing environment, printing the results with a printer associated with the computing environment, sending the results to a speaker associated with the computing environment, communicating the result over a transmission medium, and sending the results to a file for storage or use by another application program.

An unsatisfiable state is returned only when a set of constraints implied by φ is detected to be unsatisfiable. To show that the process is complete (for both integer and rational arithmetic), it can be seen that if φ_(D) and φ_(L Λ φ) _(Q) are each satisfiable, then φ is satisfiable. This is achieved by showing that a satisfying assignment ρ_(L) for φ_(L) Λ φ_(Q) can be extended to an assignment ρ_(x) for φ, such that φ is satisfiable.

The following Lemma 1 demonstrates that if the assignment ρ_(L) over L satisfies φ_(L) Λ φ_(Q), then the assignment ρ_(x) over X satisfies φ.

Lemma 1:

First, for any variable x ε Q, ρ_(D) (x)=ρ_(L) (x), since ρ_(D) has to satisfy Λ_(xεQ) (x=ρ_(L)(x)). Hence, if it can be shown that in Step 114, φ_(D)ΛΛ_(xεQ) (x=ρ_(L)(x)) is satisfiable, then ρ_(x) satisfies φ_(D) and φ_(L).

Assume that ψ ≐[φ_(D)ΛΛ_(xεQ) (x=ρ_(L)(x))] is unsatisfiable. Consider the graph Gψ(V,E) induced by the formula ψ (as described in Section 2): First, add an edge for each constraint in Φ_(D). Secondly, each constraint x=ρ_(L)(x), is broken up into a pair of constraints x−x_(orig)≦ρ_(L) (x) and x_(orig)−x≦−ρ_(L) (x), and then the corresponding edges are added to the graph. Let T⊂E be the set of edges in Gψ resulting from the addition of edges for all the x=ρ_(L)(x) constraints.

Since ψ is unsatisfiable, there has to be a (simple) cycle C with negative weight in the graph. Moreover, it is known that φ_(D) is satisfiable. Therefore, the negative cycle contains at least one edge from T. Since C is a simple cycle, at most two edges from T can be present in C. Let the edges in C be [(x_(orig),x₁), (x₁,x₂), . . . , (x_(k),x_(orig))]. Let w₁,w₂, . . . , w_(k+1) be the weights of these edges in C, such that Σ_(i)w_(iε [1,k+1])<0.

Assume further that C contains exactly one edge t ε T, such that either (x_(orig),x₁) or (x_(k),x_(orig)) belong to T. The two subcases are as follows:

-   -   1. Let (x_(k),x_(orig)) ε T, representing the constraint         x_(orig)−x_(k)≦w_(k+1). This means that the constraint         x_(orig)−x_(k)=w_(k+1), or otherwise ρ_(L)(x_(k))=−w_(k+1), is         present in ψ. Since C forms a negative cycle,         Σ_(i)w_(iε[1.k])<−w_(k+1). Therefore, there is a path from         x_(orig) to x_(k) in Gψ (without any T edges) with a weight less         than −w_(k+1). This implies that the constraint         x_(k)−x_(orig)<−w_(k+1), or equivalently x_(k)<−w_(k+1), was         implied by φ_(D), and therefore was implied by φ_(Q). Since         ρ_(L) satifies φ_(Q), this leads to a contradiction.     -   2. Let (x_(orig), x₁) ε T, meaning that ρL(x₁)=w₁. By a         reasoning similar to the previous subcase, it can be shown that         the graph Gψ (without any T edges) implies the constraint x₁>w₁,         which leads to a contradiction.

In the case when both (x_(orig),x₁) and (x_(k),x_(orig)) belong to T, this means that ρ_(L)(x₁)=w₁, and ρ_(L)(x_(k))=−w_(k+1). However, C implies that there is a path from x₁ to x_(k) of length Σ_(i)w_(iε[2,k])<−w₁−w_(k+1), implying x_(k)−x₁<−w₁−w_(k+1). This contradicts with the assignment ρ_(L), since Φ_(Q) should imply x_(k)−x₁<−w₁−w_(k+1).

This completes the proof.

If all the coefficients and constants in φ are integral, and ρ_(L) is integral, then the assignment ρ_(x) assigns integral values to X. This is because the negative cycle detection algorithms assign integral values when the edge weights are integral.

Since a model for φ_(Q) can be extended to be a model for φ_(D), Lemma 1 also shows another corollary: where P≐D\Q is the set of variables local to φ_(D), then φ_(Q)

(∃P: φ_(D)). The corollary holds that φ_(Q) is the result of quantifier elimination of the variables D\Q local to φ_(D). Hence, for any constraint ψ over Q, φ_(D)

ψ if and only if φ_(Q)

ψ.

Given m difference constraints over n variables, the complexity of the negative cycle detection algorithm may be denoted NCD(n, m). The space complexity for NCD(n, m) is O(n+m), and the upper bound of the time complexity is O(n.m), although many algorithms have a better complexity. Similarly, with m constraints over n variables, the complexity of the linear arithmetic procedure under consideration may be denoted LAP(n,m). For example, if Simplex is used as the (rational) linear arithmetic decision procedure, then the space complexity for LAP(n,m) is O(n,m) and the time complexity is polynomial in n and m in practice. Finally, for a set of constraints ψ, |ψ| denotes the number of constraints in ψ.

The following describes the complexity of the SLA-SAT procedure shown in the flowchart of FIG. 1. Step 100 takes NCD(|D|, |Φ_(D)|) time and space complexity. Step 104 requires generating shortest paths between every pair of variables x ε Q and y ε Q. This can be obtained by using a variant of Johnson's algorithm for generating all-pair-shortest-paths for a graph G(V, E ). See, T. H. Cormen, C. E. Leiserson, and R. L. Rivest, “Introduction to Algorithms,” MIT Press, 1990, which publication is incorporated by reference herein in its entirety. The process has linear space complexity O(|V|+|E|) in V and E. Assuming a negative cycle detection algorithm has already performed, the time complexity of the process is O(|V|².log(|V|).

Instead of generating all-pair-shortest-paths for every pair of vertices using Johnson's algorithm, the SLA-SAT process may be used to compute the shortest path from a subset V′⊂V to every other vertices. This makes the time complexity of the process O(|V¹|. |V|.log(|V|)) from O(|V|².log(|V|)). Since Step 100 already performs a negative cycle detection algorithm, and the shortest paths is computed from only the vertices in Q⊂D, the additional complexity of Steps 102-106 is O(|Q|. |φ_(D)|) Since in most cases, |Q|/|D|<<1, this is more efficient than just using Johnson's algorithm for all-pair-shortest-paths, that has complexity O(|D|. |φ_(D)|).

The complexity of Steps 108-112 is LAP(|L|, |φ_(Q)|+|φ_(L)|). Finally, Steps 114-116 incurs another NCD(|D|, |φ_(D)|) complexity, since at most |Q| constraints are added as x=ρ_(L)(x) constraints to φ_(D). Thus, the present system is able to solve the difference and non-difference constraints using linear or near-linear space.

The following describes the extension of the basic SLA-SAT process to generate the equalities between variables implied by the constraint φ. Equality generation is useful for combining the linear arithmetic decision procedure with other decision procedures in the Nelson-Oppen combination framework. The description sets forth the requirements from the difference and the non-difference decision procedures in SLA-SAT to generate all equalities implied by φ.

In the following description it is assumed that φ is satisfiable. Previously used notations (e.g., φ_(D), φ_(L), etc.) are used below as well. Referring to the flowchart of FIG. 2, the steps of the procedure include the following. In step 120, φ_(Q) is generated. In step 122, φ_(Q) Λ φ_(L) is solved using linear arithmetic decision procedure. In step 124, the set of equalities is generated (with offsets) implied by φ_(Q) Λ φ_(L):

ε₁ ≐{x=y+c|x ε L, y ε L, and (φ_(Q) Λ φ_(L)))

x=y+c},   (2)

from the linear arithmetic decision procedure.

In step 126, ε₂ ⊂ε₁ is designated as the set of equalities over the variables in Q:

ε₂ ≐{x=y+c|x ε Q, y ε Q, x=y+c ε ε ₁)   (3)

In step 128, all the implied equalities (with offset) are generated from ε₂ (interpreted as a formula by conjoining all the equalities in ε₂) and φ_(D):

ε₃ ≐{x=y+c|x ε D, y ε D, (φ_(D) Λ ε₂)

x=y+c}  (4)

In step 130, the set of equalities ε implied by ε₁ and ε₃ is the set of equalities implied by φ:

ε≐{x=y|x ε X, y ε X, (ε₁ Λ ε₃)

x=y}  (5)

In step 132, the set of equalities ε may be stored by the computing system environment in step 132 and reported in step 134.

A proof for the equality generating process is set forth below. First, a few intermediate lemmas are set forth and proofs provided.

For a set of linear arithmetic constraints A≐{e₁, . . . , e_(n)}, a linear combination of A is defined to be a summation Σ_(ejεA) c_(j).e_(j), such that each c_(j) ε Q and non-negative.

Lemma 2. Let φ_(A) and φ_(B) be two sets of linear arithmetic constraints over variables in A and B respectively. If u is a linear arithmetic term over A\B and v is a linear arithmetic term over B such that φ_(A) Λ φ_(B)

u

v, then there exists a term t over A ∩ B such that:

1. φ_(A)

u

t, and

2. φ_(B)

t

v,

where

is either ≦or ≧

The proof is as follows. For the case where

is ≦(the reasoning is the same for ≧), let Φ_(A)≐{e₁, . . . e_(n)} and Φ_(B)≐{e′₁, . . . , e′_(m)} be the set of constraints. As Φ_(A) Λ Φ_(B)

u≦v, there exists a set of non-negative constants {c₁, . . . ,c_(n),c′₁, . . . ,c′_(m)} such that:

$u \leq v \equiv {{\sum\limits_{e_{j} \in {\varphi \; A_{-}}}{{cj} \cdot {ej}}} + {\sum\limits_{e_{j}^{\prime} \in {\varphi \; B}}{c_{j}^{\prime} \cdot e_{j}^{\prime}}}}$

Since the set of constraints in Φ_(A) and Φ_(B) only share variables over A ∩ B, it can be seen that Σ_(ejεΦA)c_(j).e_(j)≡(u−t≦0) and Σ_(e′jεΦB)c′_(j).e′_(j)≡(−v+t≦0), where t is a linear term over A ∩ B. Therefore, φ_(A)

u≦t and φ_(B)

t≦v. This lemma is a variation of the lemma that appears in G. Yorsh and M. Musuvathi, “A combination method for generating interpolants,” In CADE 05: Conference on Automated Deduction, LNCS 3632, pages 353-368. Springer-Verlag, 2005, which publication is incorporated by reference herein in its entirety.

For the set of satisfiable difference constraints φ_(D)≐{e₁, . . . , e_(n)}, a linear combination Σ_(ejεφD) c_(j).e_(j), is said to contain a cycle (respectively a path from x to y) if there exists a subset of constraints in φ_(D) with positive coefficients (i.e., c_(j)>0) in the derivation, such that they form a cycle (respectively a path from x to y) in the graph induced by φ_(D).

Lemma 3. For any term t over D, if φ_(D)

t≦0, then there exists a linear derivation of t≦0 that does not contain any cycles.

The proof is as follows. Assuming that the derivation of t≦0 from Φ_(D) contains A≐{e′₁, . . . , e′_(m)}⊂ φ_(D), that appear with non-zero coefficients c′₁, . . . c′_(m) respectively, and [e′₁, . . . e′_(m)] forms a cycle in the graph induced by φ_(D).

Since φ_(D) is satisfiable, any cycle in the graph has a non-negative weight. Therefore, Σ_(ejεA)c′_(j).e′_(j)≡0≦d, for some d≧0. Hence, t≦0 can be derived by reducing the coefficients of each e′_(j) ε A by the minimum c′_(j) in this set and adding the constraint 0≦1 with the same coefficient. This process may be repeated until there are no cycles in the derivations.

Lemma 4 (Difference-Bounds Lemma). Let x, y ε D\Q, t be a term over Q, and φ_(D) a set of difference constraints.

1. If φ_(D)

x

t, then there exists terms u₁, u₂, . . . , u_(n) such that all of the following are true:

(a) Each u_(i) is of the form x_(i)+c_(i) for a variable x_(i) ε Q and a constant c_(i),

(b) φ_(D)

Λ_(i) x

u_(i), and

(c) φ_(D)

1/n. Σ_(i) u_(i)

t

2. If φ_(D)

x−y

t, then there exists terms u₁, u₂, . . . , u_(n) such that all of the following are true:

(a) Each u_(i) is either of the form c_(i) or x_(i)−y_(i)+c_(i) for variables x_(i), y_(i) ε Q and a constant c_(i),

(b) φ_(D)

Λ_(i) x−y

u_(i), and

(c) φ_(D)

1/n. Σ_(i) u_(i)

t

where

is one of ≦ or ≧.

The proof of this lemma is as follows. The proof makes use of a novel concept to split a linear combination of difference constraints to yield the desired results.

The proof is illustrated for the cases when

is ≦. The case for ≧ is similar. Two observations are made that are used for proving both parts of the lemma:

1. It is well known that for a set of linear constraints φ≐{e₁, . . . , e_(k)} over Q, and a linear arithmetic constraint ψ, φ

ψ if and only if there exists a set of non-negative constants {m₁, . . . , m_(k)} in Q, such that:

$\psi \equiv {\sum\limits_{e_{i} \in \phi}{m_{i} \cdot e_{i}}}$

This means that if φ

ψ, then there exists a set of non-negative integer constants {n₁, . . . , n_(k)} and a non-negative constant n such that

${n \cdot \psi} \equiv {\sum\limits_{e_{i} \in \phi}{n_{i} \cdot e_{i}}}$

Let p_(i)/q_(i) be the rational representation of m_(i). The constant n is simply the least common multiple of q₁, . . . , q_(k), and each n_(i) is n.p_(i)/q_(i).

For the set of difference constraints φ_(D)≐{e₁, . . . , e_(k)}, an integer linear combination of the constraints Σ_(eiεφD)n_(i).e_(i) (where each n_(i) is a non-negative constant in Z), can be represented as a multi-graph G, where there are n_(i) (possibly 0) copies of the edge corresponding to e_(i). For any vertex z ε D, the indegree(z) is the number of edges of the form z−w_(i)≦c_(i), where w_(i) ε D; similarly, the outdegree(z) is the number of edges of the form w_(i)−z≦c_(i) in the graph.

Case 1: Case 1 of the Lemma 4 may be proved as follows. Assume that Φ_(D)

x≦t, for some x ε D\Q. Therefore, there exists non-negative integer constants {n₁, . . . , n_(k)} and n, such that:

$\left( {\sum\limits_{e_{i} \in {\varphi \; D}}{n_{i} \cdot e_{i}}} \right) \equiv \left( {{{n \cdot x} - {n \cdot t}} \leq 0} \right)$

Referring now to the multigraph G induced by the linear combination Σ_(eiεφD) n_(i).e_(i), it may be seen that the following statements are true for this graph G:

For any vertex z ε (D\Q)\{x}, indegree (z)=outdegree (z).

For the vertex x, indegree (x)−outdegree (x)=n.

Since φ_(D) is satisfiable and it has been assumed that the derivation is irredundant, it can be assumed (using Lemma 3) that there are no cycles in this multigraph.

A process of iteratively enumerating a set of n paths from the graph G will now be described, where each path corresponds to a constraint x≦x_(i)+c_(i), where x_(i) ε Q. After each path has been enumerated, the edges in the path are removed from the graph. For each path, an edge x≦z₁+d₁ is taken and extended until a vertex is reached in Q. This is possible since all the vertices in (D\Q)\{x} have equal indegree and outdegree, and there are no cycles. Let the path enumerated have the sequence of edges x≦z₁+d_(1,) z₁≦z₂+d₂, . . . z₁≦x_(i)+c_(i), where x_(i) ε Q. Observe that the indegree and outdegrees of the intermediate vertices {z_(i)} remain equal even after the path has been removed, and the measure indegree (x)−outdegree (x) decreases by 1.

By repeating the above process n times, a set of n paths may be obtained that sum up to x≦x_(i)+c_(i), for 1≦i≦n, where x_(i) ε Q. Let G′ be the final graph obtained after removing the paths from G. Since the graph G represented the sum n.x−n.t, and the n paths represent the sum n.x−Σ_(i) (x_(i)+c_(i)), the constraints in the graph G′ represent the sum Σ_(i) (x_(i)+c_(i))−n.t. Moreover since each constraint is ≦0, the resultant constraints are ≦0.

Hence, the linear combination Σ_(eiεφD)n_(i).e_(i) may be split into two linear combinations that represent: (a) x≦x_(i)+c_(i), for 1≦i≦n, such that x_(i) ε Q; and (b) Σ_(i) (x_(i)+c_(i))−n.t≦0 or 1/n. Σ_(i) (x_(i)+c_(i))≦t. The terms x_(i)+c_(i) are the desired u_(i)s in the case 1 of the Lemma.

Case 2: The second case is similar to the first case in many respects and uses the same methodology to split the linear combination into two linear combinations.

Let φ_(D)≐{e₁, . . . e_(k)}. Since φ_(D)

x−y≦t, there exists non-negative integer constants {n₁, . . . , n_(k)} and n such that:

$\left( {\sum\limits_{e_{i} \in {\varphi \; D}}{n_{i} \cdot e_{i}}} \right) \equiv \left( {{{n \cdot x} - {n \cdot y} - {n \cdot t}} \leq 0} \right)$

Once again, looking at the graph G induced by the linear combination, this graph now has the following properties:

For the vertex x, indegree (x)−outdegree (x)=n.

For the vertex y, outdegree (y)−indegree (y)=n.

For any other vertex z ε (D\Q)\{x,y}, indegree (z)=outdegree (z).

There are no cycles in the graph G.

The paths from x may now be enumerated starting with edges of the form x≦z_(i)+c_(i), until either (i) a vertex x_(i) ε Q or (ii) y is reached. Similarly, the paths (ending at y) from y may be enumerated starting with edges of the form z_(i)+c_(i)≦y, until (i) a vertex y_(i) ε Q or (ii) x is reached.

The paths from y to x are enumerated first. Each of these paths represent the constraint x−y≦c_(i) for some constant c_(i) representing the weight of the path. Removal of these paths reduce the indegree (x)−outdegree (x) and the outdegree (y)−indegree (y) measure by 1, keeping the indegree (z)=outdegree (z) for all other z ε D\Q. Let there be m such paths between y and x.

From the remainder graph, n−m paths may be enumerated, representing x≦x₁+c′_(i) and y_(i)+d′_(i)≦y for 1≦i≦n−m where {x_(i),y_(i)}⊂Q. For each 1≦i≦n−m, the sum of the constraints representing x≦x_(i)+c′_(i) and y_(i)+d′_(i)≦y will yield the desired constraints x−y≦x_(i)−y_(i)+c_(i), where ci≐(c′_(i)+d′_(i)). Therefore φ_(D) imply x−y≦u_(i), where u_(i) ε {c_(i),x_(i)−y_(i)+c_(i)} for 1≦I≦n. Moreover, since the sum of the constraints removed from G sums up to n.x−n.y−Σ_(i)u_(i) the sum of the remaining constraints in the graph would yield Σ_(i)u_(i)−n.t≦0, or 1/n. Σ_(i)u_(i)≦t.

Lemma 5 (Sandwich Lemma). Let I₁, I₂, . . . I_(m) and u₁, u₂, . . . u_(n) be terms such that Λ_(i1j) I_(i)≦u_(j). Let I_(avg)=1/m. Σ_(i)I_(i) and u_(avg)=1/n. Σ_(j) u_(j) be the respective average of these terms. If I and u are terms such that I≦I_(avg) and u_(avg)≦u, then

$l = {\left. u\Rightarrow{\underset{i,j}{\Lambda}l_{i}} \right. = {u_{j} = l}}$

The proof is as follows. Let I=u. To prove by contradiction, without loss of generality, assume I₁<u₁. Thus, n.I₁<Σ_(j) u_(j) and n.I_(i)≦Σ_(j) u_(j) for 1<i≦m. Therefore, n. Σ_(i)<m. Σ_(j) u_(j), which implies that I<u, a contradiction. As a result, I_(j)=u_(j) for every i, j. Moreover, I_(avg)=u_(avg)=I₁. Thus, I=I₁ proving the lemma.

Given the above lemmas, the correctness of the equality propagation process may be proven. That is, that for two variables x ε X and y ε X, φ

x=y if and only if x=y ε ε.

The proof is as follows. Case 1: The easiest case to handle is the case when both x; y ε L. Thus, ∃D\L: φ=φ_(Q) Λ φ_(L)

x=y. Therefore, the equality x=y is present in ε₁ and thus in ε.

Case 2: Consider the case when one of the variables, for example, x ε D\L while y ε L. That yields φ

x≦y Λ x≧y. Applying Lemma 2 twice, there exists terms t; t¹ ε Q such that:

φ_(D)

x≦t Λ x≧t¹   (6)

φ_(L)

t≦y Λ t¹≧y   (7)

However, φ_(D) Λ φ_(L)

x=y=t=t¹. As t, t¹ ε Q, that yields:

φ_(Q) Λ φ_(L)

t=t¹=y.   (8)

Using Lemma 4 twice on Equation 6, there exists terms u₁, . . . , u_(m) and terms I₁, . . . , I_(n) all of the form v+c for a variable v ε Q and a constant c such that:

$\left. \varphi_{D}\Rightarrow{{\bigwedge\limits_{i}x} \leq {{u_{i}\bigwedge{1/m}} \cdot {\sum\limits_{i}u_{i}}} \leq t} \right.$ $\left. \varphi_{D}\Rightarrow{{\bigwedge\limits_{j}x} \geq {{l_{j}\bigwedge{1/n}} \cdot {\sum\limits_{j}l_{j}}} \leq t^{\prime}} \right.$

As the terms u_(i) and _(Ij) are terms over Q, that yields:

$\left. \varphi_{Q}\Rightarrow{{\bigwedge\limits_{i,j}l_{j}} \leq {{u_{i}\bigwedge{1/m}} \cdot {\sum\limits_{i}u_{i}}} \leq {{t\bigwedge{1/n}} \cdot {\sum\limits_{j}l_{j}}} \geq t^{\prime}} \right.$

Using Lemma 5 and Equation 8, that yields:

$\left. {\varphi_{Q}\bigwedge\varphi_{L}}\Rightarrow{\bigwedge\limits_{i,j}l_{j}} \right. = {u_{i} = {t = {t^{\prime} - y}}}$

All of the above equalities belong to ε₁. Moreover, the equalities between _(Ij) and u_(i) are present in ε₂. Thus, the equality x=I_(j)=u_(i) is present in ε₃. Thus x=y is in ε.

Case 3: The final case involves the case when x, y are both in D\L. The proof is similar to Case 2. φ

x−y≦0 Λ x−y≧0. Applying Lemma 2 twice, there exists terms t; t¹ ε Q such:

φ_(D)

x−y≦t Λ x−y≧t ¹   (9)

φ_(L)

t≦0 Λ t ¹≦0   (10)

However, φ_(D) Λ φ_(L)

x−y=0=t=t¹. As t, t¹ ε Q, that results in:

φ_(Q) Λ φ_(L)

t=t¹=0.   (11)

Using Lemma 4.2 above twice on Equation 9, there exists terms u₁, . . . , u_(m) and terms I₁, . . . , I_(n) all of the form u−v+c for a variable u, v ε Q and a constant c such that:

$\left. \varphi_{D}\Rightarrow{{{\bigwedge\limits_{i}x} - y} \leq {{u_{i}\bigwedge{1/m}} \cdot {\sum\limits_{i}u_{i}}} \leq t} \right.$ $\left. \varphi_{D}\Rightarrow{{{\bigwedge\limits_{j}x} - y} \geq {{l_{j}\bigwedge{1/n}} \cdot {\sum\limits_{j}l_{j}}} \leq t^{\prime}} \right.$

As the terms u_(i) and I_(j) are terms over Q, that results in:

$\left. \varphi_{Q}\Rightarrow{{\bigwedge\limits_{i,j}l_{j}} \leq {{u_{i}\bigwedge{1/m}} \cdot {\sum\limits_{i}u_{i}}} \leq {{t\bigwedge{1/n}} \cdot {\sum\limits_{j}l_{j}}} \geq t^{\prime}} \right.$

Using Lemma 5 and Equation 11, that yields:

$\left. {\varphi_{Q}\bigwedge\varphi_{L}}\Rightarrow{\bigwedge\limits_{i,j}l_{j}} \right. = {u_{i} = {t = {t^{\prime} = 0}}}$

All of the above equalities belong to ε₁. Moreover, the equalities between I_(j) and u_(i) are present in ε₂. Thus, the equality x=I_(j)=u_(i) is present in ε₃. Thus x=y is in ε.

An instantiation of the SLA framework is now described, using the Simplex algorithm for solving general linear arithmetic constraints. The Simplex algorithm (although having a worst case exponential complexity) is a practical method for solving linear arithmetic constraints, when the variables are interpreted over rationals. Although Simplex is incomplete for integers, various heuristics have been devised to solve most integer queries in practice. See, for example, D. L. Detlefs, G. Nelson, and J. B. Saxe, “Simplify: A theorem prover for program checking,” Technical report, HPL-2003-148, 2003, which publication is incorporated by reference herein in its entirety.

The following description demonstrates how to generate all equalities with offsets between a pair of variables, i.e. all the x=y+c equalities implied by a set of linear constraints. The implementation of Simplex in Simplify can generate all possible x=y equalities implied by a set of constraints. The same Simplex implementation also allows generating all x=y+c, without any additional overhead (see, for example, Lemma 4 in Section 8 of the above-described incorporated publication to Detlefs, Nelson and Saxe, which almost immediately generalizes to give the desired result and which details the Simplex implementation in Simplify).

A Simplex tableau is used to represent a set of linear arithmetic constraints. As is known, a Simplex tableau is the main data structure in the implementation of the simplex algorithm using tables, or tableaux, to represent calculations and intermediate steps to completing a problem. The first step is to form an initial tableau. Each linear inequality is first converted to linear equality by the introduction of a slack variable. The Simplex tableau is a two-dimensional matrix that consists of the following:

-   -   Natural numbers n and m for the number of rows and columns for         tableau respectively, and a column dcol, where 0≦dcol≦m. The         columns 1 through dcol are called the dead columns.     -   The identifiers for the rows y [0], . . . , y [n] and the         identifiers for the columns x [1], . . . , x [m], where each row         or column identifier corresponds to a variable in the         constraints, including the slack variables. The column 0         corresponds to the constant column. u, u₁ etc. are used to range         over the row and column identifiers.     -   A two dimensional array of rational numbers a [0, 0], . . . , a         [n, m].     -   A subset of identifiers in y [0], . . . , y [n], x [1], . . . ,         x [m] also have a sign ≧.

Each row in the tableau represents a row constraint of the form:

$\begin{matrix} {{y\lbrack i\rbrack} = {{a\left\lbrack {i,0} \right\rbrack} + {\sum\limits_{1 \leq j \leq m}{{a\left\lbrack {i,j} \right\rbrack}*{x\lbrack j\rbrack}}}}} & (12) \end{matrix}$

For any identifier u with a sign ≧, the sign constraint represents u, ≧0. Such an identifier u is said to be restricted. Finally, for all 1≦j≦dcol, x [j]=0, represents the dead column constraints.

The set of solutions to the row constraints and the dead column constraints, together termed as hyperplane constraints (i.e. ignoring the sign constraints) is referred to as hyperplane solution set (HPlaneSoln) and the set of solutions considering all the three types of constraints (together called the tableau constraints) is referred to as the tableau solution set (TablSoln).

The consistency of a Simplex Tableau may be tested. For a tableau T, a row variable y [i] is manifestly maximized if every non-zero entry a [i, j] for j>dcol, is negative and lies in a column whose variable x [j] is restricted. It may be seen that if a tableau is in a state where a restricted row variable y [i] is manifestly maximized, but a [i, 0]<0, then the set of constraints is infeasible. Such a tableau is called infeasible.

The sample point of a tableau corresponds to the solution obtained by setting each of the column variables x [j] to 0 and setting each of the y [i] to a [i, 0]. If a set of constraints is satisfiable, then there exists a configuration of the tableau, where the sample point satisfies and belongs to TablSoln.

Assuming a feasible tableau for a set of satisfiable constraints, the next consideration is reaching a feasible tableau after adding a new constraint. If the sample point after adding the new constraint does not satisfy all the sign constraints, then an operation called pivot can be repeatedly applied until (a) the sample point satisfies all the sign constraints, or (b) the tableau becomes infeasible (denotes unsatisfiability). The pivot operation swaps a row and a column of the tableau, but preserves each of the constraints. This is the high-level algorithm for checking the satisfiability of a set of constraints using Simplex.

A set of constraints is satisfiable if and only if there is a feasible tableau for the constraints. It is possible to further infer some classes of affine equalities from the Simplex tableau. In addition to being feasible, the tableau needs additional constraints to generate certain classes of equalities.

Two variables (row or column) u₁ and u₂ are defined to be manifestly equal in the tableau, if and only if either (i) both u₁ and u₂ are row variables and their rows are identical except for the dead columns, or (ii) both u₁ and u₂ are dead columns, or (iii) u₁ is a row variable y [i] and u₂ is a column variable x [j] and a[i, j]=1 is the only non-zero entry for row i outside the dead columns, or (iv) one of u₁ or u₂ is dead column variable, and the other is a row variable whose all non dead column entries are 0.

Assuming that the y [0] of the Simplex tableau is the special row Zero to denote the value 0, this row is identically 0 in every configuration of the tableau. Next, a tableau may be defined to be minimal if and only if every row or column variable u is either manifestly equal to Zero or has a positive value in some solution in TablSoln. As is known in the art, the Simplex implementation in Simplify provides an implementation of obtaining a minimal tableau for a set of constraints. The lemma that that may be used for minimal tableau is the following:

Lemma 6 (Lemma 2 in Detlefs, Nelson and Saxe, incorporated above). For a feasible and minimal tableau, and any affine function f over the row and column variables,

f=0 over TablSoln

f=0 over HPlaneSoln   (13)

The generalization of Lemma 2 is now presented that allows equality generation to be extended to include offsets:

Lemma 7 (Generalization of Lemma 2 in Detlefs, Nelson and Saxe, incorporated above). For any two variables u₁ and u₂ in the tableau, the hyperplane constraints imply u₁=u₂+c, where c is a rational constant, if and only if at least one of the following conditions hold:

-   -   1. u₁ and u₂ are manifestly equal (in this case c=0), or     -   2. both u₁ and u₂ are row variables y[i] and y[j] respectively,         and apart from the dead columns only differ in the constant         column, such that a[i, 0]=a[j, 0]+c, or     -   3. u₁ is a row variable y[i], u₂ is a (possibly dead) column         variable x[j], and the only non-zero entries apart from the dead         columns in row i are a[i, 0]=c and a [i, j]=1.

The proof is as follows. Significant to the proof (as in Detlefs, Nelson and Saxe, incorporated above) is that each of the row or column variable can be expressed as an affine combination over the live (non-dead) column variables. For each row 0≦i≦n:

y[i]=a[i, 0]+Σ_(dcol<j≦m) a[i, j]*x[j].   (14)

Similarly, for each live column dcol <j≦m

x[j]=0+Σ_(dcol<k≦m)δ_(j,k) *x[k].   (15)

where δ_(j,k)=1 if j=k and 0 otherwise.

Finally, for any dead column in 0≦j≦dcol

x[j]=0+Σ_(dcol<k≦m) 0*x[k].   (16)

Since the variables in the live column are independent and can assume any arbitrary values, two variables u₁ and u₂ differ by a constant c (including c=0) if and only if the coefficients of the live column variables are identical in the two variables, and only the constant column differs by c. Note that the Lemma 2 in Detlefs, Nelson and Saxe, incorporated above, is restricted to c=0.

Therefore, obtaining the minimal tableau is sufficient to derive even x=y+c facts from Simplex. This is noteworthy because the Simplex implementation does not incur any more overhead in generating these more general equalities than simple x=y equalities. The only additional work that has to be done is to identify the pairs u₁ and u₂ that satisfy Lemma 7.

The following describes Inferring Equalities from NCD. The process for generating implied equalities between variables by the input formula φ is described above. This process requires generating equalities of the form x=y+c from the NCD component of SLA. The lemma is provided here.

Lemma 8 (Lemma 2 in Lahiri and Musuvathi, previously incorporated). An edge e in G_(φ) representing y≦x+c, e_(i) can be strengthened to represent y=x+c (called an equality-edge), if and only if e lies in a cycle of weight zero.

Hence, using Lemma 8, Lemma 7 and the theory set forth above that, two variables x ε X and y ε X, φ

x=y if and only if x=y ε ε, this provides a complete equality generating decision procedure over rationals.

The SLA decision procedure has been implemented in the Zap theorem prover (described for example in T. Ball, S. K. Lahiri, and M. Musuvathi. Zap: Automated theorem proving for software analysis. In Logic for Programming, Artificial Intelligence, and Reasoning, 12th International Conference, LPAR 2005, volume 3835 of LNCS, pages 2-22. Springer-Verlag, 2005, which publication is incorporated by reference herein in its entirety). The implementation uses the Bellman-Ford algorithm as the NCD algorithm and the Simplex implementation for the non-difference constraints.

FIGS. 3A and 3B show preliminary results comparing the process of the present system with two different implementations for solving linear arithmetic constraints. FIG. 3A shows the present system compared against Simplify-Simplex: the linear arithmetic solver in the Simplify theorem prover. FIG. 3B shows the present system compared against Zap-UTVPI: an implementation of UTVPI decision procedure in Zap. The Zap-UTVPI decision procedure is shown for example in W. Harvey and P. J. Stuckey, “A unit two variable per inequality integer constraint solver for constraint logic programming,” In Proceedings of the 20th Australasian Computer Science Conference (ACSC '97), pages 102-111, 1997, and J. Jaffar, M. J. Maher, P. J. Stuckey, and H. C. Yap, “Beyond finite domains,” In PPCP 94: Principles and Practice of Constraint Programming, LNCS 874, pages 86-94. Springer-Verlag, 1994, both of which publications are incorporated by reference herein in their entirety.

From FIG. 3A, it can be seen that the SLA implementation in Zap outperforms the Simplex implementation in Simplify, on a large number of examples. Simplify may be faster on smaller examples, but this can be attributed to the C# implementation of Zap.

It may also be concluded from FIG. 3A that the SLA process is able to solve several cases where Simplex gives an integer overflow. This is because Simplex algorithm performs a lot of multiplication and divisions of the coefficients in the Simplex tableau, and can cause integer overflows very often on large problems. However, by only using Simplex for solving a few constraints in SLA, an integer overflow may be avoided in most cases.

From FIG. 3B, it can be seen that the negative cycle detection based algorithm+Simplex based SLA implementation outperforms a transitive-closure based algorithm capable of handling just the UTVPI fragment of linear arithmetic. The main difference in performance comes from the linear-space negative cycle detection algorithm, compared to quadratic space complexity of the transitive closure algorithm.

The results also indicate that a combination procedure (such as outlined in Hossein M. Sheini and Karem A. Sakallah, “A scalable method for solving satisfiability of integer linear arithmetic logic,” In Theory and Applications of Satisfiability Testing, 8th International Conference, SAT 2005, volume 3569 of LNCS, pages 241-256. Springer, 2005) based on transitive closure is less efficient than the negative cycle detection+Simplex based SLA process.

While the Simplex algorithm has been described above as a useful algorithm for use in the present system for solving sparse linear arithmetic constraints, other known methods may be used, including for example Variable Elimination Methods (Hodes, Fourier-Motzkin, etc.), Shostak's loop residues and the above described separation theory by Bellman and Pratt.

FIG. 4 illustrates an example of a suitable general computing system environment 200 that may comprise any processing device shown herein on which the inventive system may be implemented. The computing system environment 200 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the inventive system. Neither should the computing system environment 200 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing system environment 200.

The inventive system is operational with numerous other general purpose or special purpose computing systems, environments or configurations. Examples of well known computing systems, environments and/or configurations that may be suitable for use with the inventive system include, but are not limited to, personal computers, server computers, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, laptop and palm computers, hand held devices, distributed computing environments that include any of the above systems or devices, and the like.

With reference to FIG. 4, an exemplary system for implementing the inventive system includes a general purpose computing device in the form of a computer 210. Components of computer 210 may include, but are not limited to, a processing unit 220, a system memory 230, and a system bus 221 that couples various system components including the system memory to the processing unit 220. The system bus 221 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.

Computer 210 may include a variety of computer readable media. Computer readable media can be any available media that can be accessed by computer 210 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, random access memory (RAM), read only memory (ROM), EEPROM, flash memory or other memory technology, CD-ROMs, digital versatile discs (DVDs) or other optical disc storage, magnetic cassettes, magnetic tapes, magnetic disc storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computer 210. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above are also included within the scope of computer readable media.

The system memory 230 includes computer storage media in the form of volatile and/or nonvolatile memory such as ROM 231 and RAM 232. A basic input/output system (BIOS) 233, containing the basic routines that help to transfer information between elements within computer 210, such as during start-up, is typically stored in ROM 231. RAM 232 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 220. By way of example, and not limitation, FIG. 4 illustrates operating system 234, application programs 235, other program modules 236, and program data 237.

The computer 210 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, FIG. 4 illustrates a hard disc drive 241 that reads from or writes to non-removable, nonvolatile magnetic media and a magnetic disc drive 251 that reads from or writes to a removable, nonvolatile magnetic disc 252. Computer 210 may further include an optical media reading device 255 to read and/or write to an optical media.

Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, DVDs, digital video tapes, solid state RAM, solid state ROM, and the like. The hard disc drive 241 is typically connected to the system bus 221 through a non-removable memory interface such as interface 240, magnetic disc drive 251 and optical media reading device 255 are typically connected to the system bus 221 by a removable memory interface, such as interface 250.

The drives and their associated computer storage media discussed above and illustrated in FIG. 4, provide storage of computer readable instructions, data structures, program modules and other data for the computer 210. In FIG. 4, for example, hard disc drive 241 is illustrated as storing operating system 244, application programs 245, other program modules 246, and program data 247. These components can either be the same as or different from operating system 234, application programs 235, other program modules 236, and program data 237. Operating system 244, application programs 245, other program modules 246, and program data 247 are given different numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into the computer 210 through input devices such as a keyboard 262 and a pointing device 261, commonly referred to as a mouse, trackball or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 220 through a user input interface 260 that is coupled to the system bus 221, but may be connected by other interface and bus structures, such as a parallel port, game port or a universal serial bus (USB). A monitor 291 or other type of display device is also connected to the system bus 221 via an interface, such as a video interface 290. In addition to the monitor, computers may also include other peripheral output devices such as speakers 297 and printer 296, which may be connected through an output peripheral interface 295.

The computer 210 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 280. The remote computer 280 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 210, although only a memory storage device 281 has been illustrated in FIG. 4. The logical connections depicted in FIG. 4 include a local area network (LAN) 271 and a wide area network (WAN) 273, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, the computer 210 is connected to the LAN 271 through a network interface or adapter 270. When used in a WAN networking environment, the computer 210 typically includes a modem 272 or other means for establishing communication over the WAN 273, such as the Internet. The modem 272, which may be internal or external, may be connected to the system bus 221 via the user input interface 260, or other appropriate mechanism. In a networked environment, program modules depicted, relative to the computer 210, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation, FIG. 4 illustrates remote application programs 285 as residing on memory device 281. It will be appreciated that the network connections shown are exemplary and other means of establishing a communication link between the computers may be used.

The foregoing detailed description of the inventive system has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the inventive system to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the inventive system and its practical application to thereby enable others skilled in the art to best utilize the inventive system in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the inventive system be defined by the claims appended hereto. 

1. A computer implemented method for solving linear arithmetic constraints including difference constraints and non-difference constraints, the computer implemented method comprising the steps of: a) solving for the difference constraints; b) solving for the non-difference constraints, wherein step a) retains polynomial complexity; and c) reporting the result solved for in at least of steps a) and b).
 2. A computer implemented method as recited in claim 1, wherein the time and space complexity of said step b) of solving for the non-difference constraints is determined by the difference constraint component solved in said step a) for sparse linear arithmetic constraints.
 3. A computer implemented method as recited in claim 1, further comprising the step c) of generating equalities over variables that are implied by the difference and non-difference constraints.
 4. A computer implemented method as recited in claim 1, further comprising the step c) of generating satisfying assignments for the variables in the difference and non-difference constraints in the event a satisfying assignment exists.
 5. A computer implemented method as recited in claim 1, wherein said step of generating satisfying assignments for the variables in the difference and non-difference constraints is performed using a negative cycle detection algorithm.
 6. A computer implemented method as recited in claim 1, wherein steps a) and b) can decide m difference constraints on n variables in at most O(n.m) time.
 7. A computer implemented method as recited in claim 1, wherein a space complexity of said steps a) and b) is linear or approximately linear in the size of the difference constraints.
 8. A computer implemented method as recited in claim 1, wherein steps a) and b) can decide m difference constraints on n variables in O(n+m) space complexity.
 9. A computer implemented method for solving linear arithmetic constraints including difference constraints and non-difference constraints, the computer implemented method comprising the steps of: a) checking the satisfiability of the difference constraints using a negative cycle detection algorithm; b) indicating when the difference constraints are unsatisfiable; c) describing a length of a shortest path from vertices corresponding to variable x to y in the graph induced by the difference constraints in the event the difference constraints are satisfiable in said step b); d) generating a set of difference constraints over the variables in common between the difference constraints and the non-difference constraints; and e) checking the satisfiability of φ_(L) Λ φ_(Q), where φ_(L) represents the non-difference constraints and φ_(Q) represents the difference constraints in common between the difference constraints and the non-difference constraints; and f) reporting the result of said step e) checking the satisfiability of φ_(L) Λ φ_(Q).
 10. A computer implemented method as recited in claim 9, further comprising the step d) of generating satisfying assignments for the variables in the difference and non-difference constraints in the event a satisfying assignment exists in said step c).
 11. A computer implemented method as recited in claim 9, wherein step d) retains polynomial complexity.
 12. A computer implemented method as recited in claim 9, wherein a space complexity of said step d) is linear or approximately linear in the size of the difference constraints.
 13. A computer implemented method as recited in claim 9, wherein said step e) is performed using a linear arithmetic decision procedure.
 14. A computer implemented method as recited in claim 13, wherein said step linear arithmetic decision procedure uses the Simplex algorithm.
 15. A computer implemented method as recited in claim 9, wherein said step b) is performed using a negative cycle detection algorithm.
 16. A computer implemented method as recited in claim 9, further comprising the step of generating implied equalities over variables that are implied by the difference and non-difference constraints.
 17. A computing system environment configured, at least in part, to perform a method of solving linear arithmetic constraints including difference constraints and non-difference constraints, the computer implemented method comprising the steps of: a) checking the satisfiability of the difference constraints using a negative cycle detection algorithm; b) describing a length of a shortest path from vertices corresponding to variable x to y in the graph induced by the difference constraints in the event the difference constraints are satisfiable in said step a); c) generating a set of difference constraints over the variables in common between the difference constraints and the non-difference constraints; d) checking the satisfiability of φ_(L) Λ φ_(Q), where φ_(L) represents the non-difference constraints and φ_(Q) represents the difference constraints in common between the difference constraints and the non-difference constraints; e) generating implied equalities over variables that are implied by the difference and non-difference constraints. f) generating satisfying assignments for the variables in the difference and non-difference constraints in the event a satisfying assignment exists in said step d).
 18. A computing system environment as recited in claim 17, wherein said step d) is performed using a linear arithmetic decision procedure.
 19. A computing system environment as recited in claim 17, wherein step e) of generating equalities uses the relationship that, for rational arithmetic, exchanging x=y+c facts is sufficient to generate equalities from the combined procedure.
 20. A computing system environment as recited in claim 17, wherein a space complexity of the method for solving linear arithmetic constraints is linear or approximately linear in the size of the difference constraints. 